Monday, March 22, 2010

Forget ROI and risk. Consider competitive advantage

1. "ROI-centric discussion"

Security person: Hello boss. We need to implement our security program because it has a ROI of $1 million dollars.
Boss: You mean if we adopt your program we're going to earn $1 million dollars?
Security person: No, we'll save $1 million.
Boss: Get out of my office. Come back after you've taken a finance class.



2. "Risk-centric discussion"

Security person: Hello boss. We need to implement our security program because I've calculated our risk to be 1.35.
Boss: What does that mean?
Security guy: Hmm, ok I'll leave now.



3. "Competitiveness discussion"

Security person: Hello boss. We need to implement our security program because it will provide a competitive advantage to our businesses.
Boss: That's a new one. Tell me more.
Security person: We have adversaries who try to steal, and sometimes do steal, our data.
Boss: So what. Isn't it just World of Warcraft credentials?
Security person: Our adversaries steal intellectual property like design plans, pricing data, negotiation strategies, and other information which means they might understand our business as well as we do.
Boss: Is that true? You mean we could lose deals because our products are copied, our bids undercut, our positions already known? I wonder if that's why we lost a deal to MegaCorp last month...
Security person: Now that you mention it, here is a report on suspicious computer activity involving MegaCorp last week. Our team managed to interdict their theft attempt, but in the future we'd like to be able to detect and respond faster, as well as make it more difficult for the adversary to have a chance to steal our information.
Boss: Now you're talking. Sit down, let's discuss this.



"Notice what happened here. Magazines written for CIOs, CTOs, CISOs, and so on constantly advocate "speaking the language of the business." Unfortunately this "language" has been assumed to be finance. As a result security people tried to shoehorn their projects into ROI or ROSI, to laughable results.

As we've seen during the last few years, "risk" has turned out to be a dead end too. The numbers mean nothing. Even if you could somehow measure risk, it's easy enough for managers to accept a higher level of risk than the security manager.

Competitiveness, on the other hand, is everything to business people. They are constantly looking for an edge. It a tight economy, gaining an advantage over the competition could mean the difference between thriving or going out of business.


Notice that discussing competitiveness also avoids the death spiral associated with ROI discussions: cost. When conversation is ROI-centric, digital security is perceived as being a loss prevention exercise and a cost center. IT in general is often seen in this light. Don't dump money in a cost center -- cut spending instead!


When you turn the focus on the adversary -- you are threat-centric -- and discuss how he is trying to beat you and how you can beat him, you are likely to strike a primal chord in the mind of the business person. The executive is likely to wonder "what else can we do to give us a competitive advantage?" Suddenly the digital security shop is seen as a business partner in a common fight with the competition, not a cost center dragging down the "productive" elements of the business.

This isn't a new idea, but it's largely absent in the mindshare of digital security professionals. (If anyone has an ACM account I'd like to read
Using information security to achieve competitive advantage by Charles Cresson Wood, 1991.) In addition to mentioning ROI and risk, it's important to remember that compliance is the other driver that is likely to justify funding. However, I believe we are more likely to see security shops spending resources explaining why their current activities meet regulatory requirements. I doubt new programs are going to be created to meet compliance needs, since compliance is basically a ten-year-old justification at this point."

- source taosecurity

Wednesday, March 10, 2010

Advice for Academic Researchers

Quoted from TaoSecurity Blog's

A blog and book reader emailed the following question:

I am an info sec undergrad and have been granted a scholarship to continue my studies towards a phd with the promise of DoD service at the other end. It is critical for me to research and select the most important area of security from the Defense Department's perspective.

My question to you is this: Drawing upon your knowledge, what specific area(s) of information security do you feel will be most critical in the next several years (especially in the eyes of the Dept. of Defense)?


I post this question because I'm sure blog readers will contribute interesting comments.

For my part, I'm really interested in the following: characterizing network traffic. In other words, develop tools and techniques to describe what is happening on the network. (I'm sure a few commercial vendors think they are doing this already, but nothing approaches the level that we really need.)

Without understanding what is happening, we can't decide if the activity is normal, suspicious, or malicious. Current approaches are far too primitive and limited. This work is not as "shiny" as developing a new detection algorithm, but getting back to basics is the sort of approach that could survive in a research environment.